Composing an abuse report

What to send, how to send it, where to send it – and what not to send or do.

‘Personal firewall’ pitfalls

A few other caveats

Remember that these addresses are special

IPv4

IPv6

You may also find Team Cymru’s list of bogons useful.

Consider sending your reports through a service

…such as DShield FightBack or myNetWatchman (for intrusion attempts), or SpamCop (for unsolicited bulk email).

They may:

General advice on reporting

What to send

Email and Netnews abuse

Usually, you should simply forward the abusive message in full, without editing it in any way. The visual presentation a mail or news reader offers is often very different from the actual message format, so it might not be enough to just copy what you see and paste it into your report – you must forward the original message, including all header lines. An email abuse report without ‘Received:’ lines, or a Netnews abuse report without a ‘Path:’ line, is probably useless.

Sometimes you may want to edit the message in order to anonymise the original email recipient. If you alter e.g. the ‘Received:’ and ‘To:’ lines, please make it obvious; the de facto standard is to replace the recipient information with the string ‘x’ (without the quotation marks), as in:

Received: from leo (61-217-61-120.HINET-IP.hinet.net [61.217.61.120])
        by walrus.megabaud.fi (8.11.3+3.4W/8.11.3) with SMTP id fBP9P1V03370
        for <x>; Thu, 25 Dec 2008 11:25:03 +0200 (EET)
To: x

Extremely large messages, as well as messages that contain malicious software, are also exceptions to the forward-in-entirety rule; instead of forwarding e.g. a Trojan or a 20-megabyte Microsoft Office document, add a note describing the size and content of the attachment. If appropriate, include a plain-text sample.
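The two rules above (forward the raw message untouched, but make any recipient anonymisation obvious with ‘x’) can be applied mechanically. The following is an added example, not code from the original page: it edits the raw message text directly rather than re-serialising it through a mail library, so every ‘Received:’ line stays exactly as it arrived, and it checks afterwards that the trace headers an abuse desk needs are still present. The recipient address victim@example.net and the body text are constructed; the ‘Received:’ line is the one from the page.

```python
"""Prepare a raw email message for an abuse report.

Added example, not code from the original page. The raw text is edited in
place instead of being re-serialised, so header lines keep their original
folding and order; the only change made is the recipient anonymisation.
"""
import re

# De facto convention from the page: replace recipient details with 'x'.
PLACEHOLDER = "x"


def split_message(raw: str) -> tuple[str, str]:
    """Split a raw message into (header block, rest) at the first blank line.

    The blank-line separator stays with the body so that joining the two
    parts reproduces the original text exactly.
    """
    for sep in ("\r\n\r\n", "\n\n"):
        pos = raw.find(sep)
        if pos != -1:
            return raw[:pos], raw[pos:]
    return raw, ""  # headers only, no body


def anonymise_recipient(raw: str, recipient: str) -> str:
    """Replace every occurrence of `recipient` in the header block with 'x'.

    Because the replacement is purely textual it covers both 'for <addr>'
    in Received: lines and the address in To:/Cc: lines. The body is left
    untouched, as the page asks for an otherwise unedited forward.
    """
    headers, body = split_message(raw)
    headers = re.sub(re.escape(recipient), PLACEHOLDER, headers, flags=re.IGNORECASE)
    return headers + body


def has_trace_headers(raw: str, medium: str = "email") -> bool:
    """Check that the report still carries the headers an abuse desk needs.

    Per the page: an email report without 'Received:' lines, or a Netnews
    report without a 'Path:' line, is probably useless.
    """
    needed = "received:" if medium == "email" else "path:"
    headers, _ = split_message(raw)
    return any(line.lower().startswith(needed) for line in headers.splitlines())


# Constructed sample: the Received: line from the page, with a made-up
# recipient address (victim@example.net) that is to be anonymised.
SAMPLE = (
    "Received: from leo (61-217-61-120.HINET-IP.hinet.net [61.217.61.120])\n"
    "\tby walrus.megabaud.fi (8.11.3+3.4W/8.11.3) with SMTP id fBP9P1V03370\n"
    "\tfor <victim@example.net>; Thu, 25 Dec 2008 11:25:03 +0200 (EET)\n"
    "From: sender@example.org\n"
    "To: victim@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "Body text; a mention of victim@example.net here is left alone.\n"
)

if __name__ == "__main__":
    report = anonymise_recipient(SAMPLE, "victim@example.net")
    print(report)
    print("usable:", has_trace_headers(report))
```

Run `has_trace_headers` on whatever you are about to send, not on the message you originally received: the point is to catch a mail client that silently dropped the headers while forwarding.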

Unauthorised access attempts, denial of service attacks and similar activity

Send the relevant log lines from the device (such as your firewall, router or server) on which you detected the attack. State that the traffic in question was unauthorised, and indicate whether the target systems were running services intended for the general public (the originators might try the ‘I had permission to scan the network for security holes’ and/or the ‘I was trying to use a public service’ excuses). Especially if the log format is not self-explanatory, add a descriptive header line, such as ‘type,date,time,source,destination,transport’.
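An added example (not code from the original page) of turning raw firewall log lines into the kind of block described above. It assumes Linux netfilter/iptables-style syslog lines (SRC=, DST=, PROTO=, SPT=, DPT= fields) and a local clock at UTC+02:00; the log lines and the RFC 5737 documentation addresses in them are constructed. It prepends the descriptive header line the page suggests and converts the timestamps to UTC, which also takes care of the time-zone advice in the summary.

```python
"""Turn netfilter-style firewall log lines into an abuse-report log block.

Added example, not code from the original page. Adapt LOG_RE for other
devices; the output format (header line plus CSV rows, times in UTC) is
the part worth keeping.
"""
import re
from datetime import datetime, timedelta, timezone

HEADER = "type,date,time,source,destination,transport"

# Syslog prefix plus the netfilter fields we need; other fields are skipped.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def to_utc(mon: str, day: str, hhmmss: str, year: int, utc_offset_hours: float) -> datetime:
    """Build an aware UTC timestamp from syslog fields (which carry no year or zone)."""
    local = datetime.strptime(f"{year} {mon} {day} {hhmmss}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


def format_log_report(lines: list[str], year: int, utc_offset_hours: float,
                      event_type: str = "unauthorised-access-attempt") -> list[str]:
    """Return the header line followed by one CSV row per matching log line.

    Lines that do not look like netfilter packet logs are ignored, so a
    grep of the whole syslog can be fed in unfiltered.
    """
    rows = [HEADER]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = to_utc(m["mon"], m["day"], m["time"], year, utc_offset_hours)
        src = m["src"] + (f":{m['spt']}" if m["spt"] else "")
        dst = m["dst"] + (f":{m['dpt']}" if m["dpt"] else "")
        rows.append(",".join([
            event_type, ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
            src, dst, m["proto"].lower(),
        ]))
    return rows


# Constructed sample log: local clock at UTC+02:00, addresses from the
# RFC 5737 documentation ranges. The sshd line is there to be skipped.
SAMPLE_LOG = [
    "Dec 25 11:25:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 "
    "LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 25 11:25:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 "
    "LEN=28 TTL=48 ID=0 PROTO=ICMP TYPE=8 CODE=0",
    "Dec 25 11:25:05 gw sshd[4321]: Connection closed by 203.0.113.9",
]

if __name__ == "__main__":
    print("\n".join(format_log_report(SAMPLE_LOG, year=2008, utc_offset_hours=2)))
```

State in the cover note that the times are UTC (and, if you did not convert, what offset and clock error they carry); the header line alone tells the reader the column meaning but not the zone.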

What to add

In typical cases, no ‘cover letter’ is necessary, but sometimes a couple of explanatory lines may be useful, such as when:

Additionally, you may want to use one of the following tags in your ‘Subject:’ line to specify the medium on which the abuse was perpetrated:

[email]    Internet email
[usenet]   Netnews (including non-Usenet groups)
[irc]      Internet Relay Chat
[icq]      ICQ
[chat]     Other chat media
[misc]     Other media

… and what not to add

Where to send your report

If you decide to mail the ISP directly, keep in mind the convention of using the abuse mailbox of the provider, e.g. abuse@example.net. Do not needlessly ‘shotgun’ your report to a ‘bitch list’ of addresses. If the abuse address does not work, chances are the organization in question would not know what to do with an abuse report anyway; in such a case, you should probably contact the uplink provider's abuse desk instead.

Abuse reports are normally not sent to RIRs or to the IANA, as these organizations are not access providers. However, recent discussion indicates that the community does wish for RIRs to take actions against abusive ISPs.

Please double-check to make sure you do not send your report to an innocent bystander. Spam-reporting software will frequently mislead you. For example, one widely used lookup tool directed complaints regarding a certain /16 network to us just because we were responsible for the first /19 chunk. In addition, remember that email and Netnews headers are easy to falsify; do not complain to forgery victims.

Commonly falsified email headers

Header     Comments
Date:      The message may appear older or newer than it is.
From:      The address of the purported sender of a spam message is usually forged.
To:        There are often several recipients per spam message, even if the ‘To:’ line lists only one address. The actual recipients are always listed in the RCPT command, which is part of SMTP; the ‘To:’ line does not define the destination of the message.
Received:  To make the message more difficult to trace, the spammer may ‘preload’ it with one or more forged ‘Received:’ headers. You can rely on the ‘Received:’ line that your mail server wrote, but you should treat any others with suspicion.
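The ‘Received:’ rule in the table can be turned into a check before you pick an address to complain about. The following is an added example, not code from the original page: it walks the ‘Received:’ chain from the top, trusts a line only while it was written by one of your own servers (a set you supply; here walrus.megabaud.fi from the page’s example) and was handed the message by another of your own servers, and reports the connecting IP from the last trusted line as the one to complain about. Everything below that is shown as unverified, since the sender controls those lines. The sample message and the hostnames relay.example.com and mail.example.com in it are constructed.

```python
"""Find the trustworthy hop in a spam message's Received: chain.

Added example, not code from the original page. Only Received: lines
written by the reporter's own servers are trusted; the rest may have been
'preloaded' by the sender and are returned as unverified.
"""
import email
import re

# 'from <helo> (<rDNS> [<ip>])' and 'by <host>' clauses of a Received: value.
# The bracketed IP in the comment is the address that actually connected.
FROM_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<comment>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-f.:]+)\]", re.I)


def parse_received(value: str) -> dict:
    """Reduce one Received: header to helo name, rDNS name, connecting IP and by-host."""
    value = " ".join(value.split())  # unfold continuation lines
    frm = FROM_RE.search(value)
    by = BY_RE.search(value)
    comment = frm["comment"] if frm and frm["comment"] else ""
    ip = IP_RE.search(comment)
    return {
        "helo": frm["helo"] if frm else None,
        "rdns": comment.split()[0] if comment else None,
        "ip": ip["ip"] if ip else None,
        "by": by["by"].rstrip(";") if by else None,
        "raw": value,
    }


def trace_origin(raw_message: str, own_hosts: set[str]) -> dict:
    """Walk the Received: chain top-down and stop at the first foreign hop.

    A hop is trusted only if its by-host is ours and the hop above it was
    handed the message by one of our own hosts; a forged line that names
    our server but sits below a line from a foreign host is not trusted.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    own = {h.lower() for h in own_hosts}
    trusted, unverified = [], []
    for hop in hops:
        by_ok = (hop["by"] or "").lower() in own
        chain_ok = not trusted or bool(
            {(trusted[-1]["helo"] or "").lower(), (trusted[-1]["rdns"] or "").lower()} & own
        )
        if by_ok and chain_ok and not unverified:
            trusted.append(hop)
        else:
            unverified.append(hop)
    origin_ip = trusted[-1]["ip"] if trusted else None
    return {"origin_ip": origin_ip, "trusted": trusted, "unverified": unverified}


# Constructed sample: the genuine top line from the page, followed by a
# preloaded line that falsely names our own server and one foreign line.
SAMPLE = (
    "Received: from leo (61-217-61-120.HINET-IP.hinet.net [61.217.61.120])\n"
    "\tby walrus.megabaud.fi (8.11.3+3.4W/8.11.3) with SMTP id fBP9P1V03370\n"
    "\tfor <x>; Thu, 25 Dec 2008 11:25:03 +0200 (EET)\n"
    "Received: from relay.example.com (relay.example.com [203.0.113.5])\n"
    "\tby walrus.megabaud.fi with SMTP id 1234; Thu, 25 Dec 2008 11:24:50 +0200\n"
    "Received: from [10.0.0.1] (helo=pc) by relay.example.com with ESMTP;\n"
    "\tThu, 25 Dec 2008 11:24:40 +0200\n"
    "From: sender@example.org\n"
    "To: x\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    result = trace_origin(SAMPLE, {"walrus.megabaud.fi"})
    print("report this IP:", result["origin_ip"])
    for hop in result["unverified"]:
        print("unverified:", hop["raw"])
```

The set of own hosts has to include every internal relay the message passes through before it reaches the server whose copy you are looking at; with only the outermost server listed, an internal hop would be reported as the origin.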

Third parties may be interested in your abuse case

Summary

  1. Consider whether the issue really should be reported to an ISP.
  2. If a personal firewall detected the issue, reconsider whether to file a report.
  3. Make sure you have identified the provider correctly.
  4. If you contact an ISP, write to its abuse address (e.g. abuse@example.net).
  5. Use plain text.
  6. You should usually describe the incident by sending either a complete ‘raw’ message copy or the relevant log lines.
  7. Advise the recipient regarding any difference (such as clock error or time zone offset) between your time stamps and UTC.
  8. If you follow up on your report later, include sufficient background information.
